Skip to main content

Shared objects

Flash Player provides the ability to use shared objects , which are ActionScript objects that persist outside of a SWF file, either locally on a user's file system or remotely on an RTMP server. Shared objects, like other media in Flash Player, are partitioned into security sandboxes. However, the sandbox model for shared objects is somewhat different, because shared objects are not resources that can ever be accessed across domain boundaries. Instead, shared objects are always retrieved from a shared object store that is particular to the domain of each SWF file that calls methods of the SharedObject class. Usually a shared object store is even more particular than a SWF file's domain: by default, each SWF file uses a shared object store particular to its entire origin URL. For more information on shared objects, see Shared objects.

A SWF file can use the localPath parameter of the SharedObject.getLocal() and SharedObject.getRemote() methods to use a shared object store associated with only a part of its URL. In this way, the SWF file can permit sharing with other SWF files from other URLs. Even if you pass '/' as the localPath parameter, this still specifies a shared object store particular to its own domain.

Users can restrict shared object access by using the Flash Player Settings dialog box or the Settings Manager. By default, shared objects can be created up to a maximum of 100 KB of data per domain. Administrative users and users can also place restrictions on the ability to write to the file system. For more information, see Administrator controls and User controls.

You can specify that a shared object is secure, by specifying true for the secure parameter of the SharedObject.getLocal() method or the SharedObject.getRemote() method. Note the following about the secure parameter:

  • If this parameter is set to true, Flash Player creates a new secure shared object or gets a reference to an existing secure shared object. This secure shared object can be read from or written to only by SWF files delivered over HTTPS that call SharedObject.getLocal() with the secure parameter set to true.

  • If this parameter is set to false, Flash Player creates a new shared object or gets a reference to an existing shared object that can be read from or written to by SWF files delivered over non-HTTPS connections.

If the calling SWF file is not from an HTTPS URL, specifying true for the secure parameter of the SharedObject.getLocal() method or the SharedObject.getRemote() method results in a SecurityError exception.

The choice of a shared object store is based on a SWF file's origin URL. This is true even in the two situations where a SWF file does not originate from a simple URL: import loading and dynamic loading. Import loading refers to the situation where you load a SWF file with the LoaderContext.securityDomain property set to SecurityDomain.currentDomain. In this situation, the loaded SWF file will have a pseudo-URL that begins with its loading SWF file's domain and then specifies its actual origin URL. Dynamic loading refers to the loading of a SWF file using the Loader.loadBytes() method. In this situation, the loaded SWF file will have a pseudo-URL that begins with its loading SWF file's full URL followed by an integer ID. In both the import loading and dynamic loading cases, a SWF file's pseudo-URL can be examined using the LoaderInfo.url property. The pseudo-URL is treated exactly like a real URL for the purposes of choosing a shared object store. You can specify a shared object localPath parameter that uses part or all of the pseudo-URL.

Users and administrators can elect to disable the use of third-party shared objects. This is the usage of shared objects by any SWF file that is executing in a web browser, when that SWF file's origin URL is from a different domain than the URL shown in the browser's address bar. Users and administrators may choose to disable third-party shared object usage for reasons of privacy, wishing to avoid cross-domain tracking. In order to avoid this restriction, you may wish to ensure that any SWF file using shared objects is loaded only within HTML page structures that ensure that the SWF file comes from the same domain as is shown in the browser's address bar. When you attempt to use shared objects from a third-party SWF file, and third-party shared object use is disabled, the SharedObject.getLocal() and SharedObject.getRemote() methods return null. For more information, see www.adobe.com/products/flashplayer/articles/thirdpartylso.